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ENCRYPTING CONVERSION APPARATUS, system, a real-time cryptographic processing is indispens- 

DECRYPTING CONVERSION APPARATUS, able in order to send and receive exchange data at real time 

CRYPTOGRAPHIC COMMUNICATION and protect the exchange data from bugging and unautho- 

SYSTEM, AND ELECTRONIC TOLL rized alteration. 



COLLECTION APPARATUS 



SUMMARY OF THE INVENTION 



CROSS-REFERENCE TO RELATED ti . . . t , ; t . t . t . t 

APPLICATION ^ an °k-J ect °* * e P resent invention to provide an 

encrypting conversion apparatus, a decrypting conversion 

This application relates to an application U.S. Ser. No. apparatus, a cryptographic communication system and an 

09/130,529 filed on Aug. 4, 1998 by Makoto Aikawa et al 10 electronic toll collection apparatus capable of changing 

entitled "DATA ENCRYPTING/DECRYPTING CONVER- algorithms of cryptographic conversion to hide the algo- 

SION METHODS AND APPARATUSES AND DATA rithm in use from a third party so that the apparatuses and 

COMMUNICATION SYSTEM ADOPTING THE SAME" system are resistant against a cryptographic attack and can 

and assigned to the present assignee. The disclosure of that ^ operate at high speed. 

application is hereby incorporated by reference into the According to one aspect of the present invention, there is 

disclosure of this application. provided an encrypting conversion apparatus for inputting at 

t, . mrr , Tv „ rT , k ^^ vr least one cipher key, at least one algorithm parameter, and 

BACKGROUND OF THE INVENTION pkin tcx| ^ and > utputUng ciphcr h tcx t data, the apparatus 

1. Field of the Invention 2 0 com prising: a plurality stage of encrypting conversion 
The present invention relates to techniques for encrypting/ mcans for executing each of an exclusive logical sum 

decrypting digital data transferred among computers, house- operation, a cyclic shift operation and an addition operation 

hold information processing appliances, and electronic toll al ea f oncc > where f th u e encrypting conversion means 

collection apparatuses includes at least one of each of nrst to third operation means, 

. * „ the first operation means executes either an exclusive logical 

2. Description of the Related Art 25 ^ operation or fln additioQ operalion of input ^ and a 

Enciphering techniques for preventing an illegal copy of portion of data generated from data of the cipher key, the 

digital data are essentia! for digital household information sccond operat i on mcan s executes cither an exclusive logical 

processing appliances. For example, if digital visual data sum operation or an addition operation of input data and a 

received by a digital broadcasting receiver is digitally portion of data determined by the algorithm parameter, and 

recorded in a digital video recorder and the digital visual me third operation means cyclically shifts input data by the 

data has a copyright, both the receiver and digital video nurn bcr of bits determined by the algorithm parameter; and 

recorder are required to have a function of protecting the conversions which use combinations of a plurality stage of 

copyright. In order to realize such a copyright protection consecutive encrypting conversion means optionally 

system, it is necessary to prevent alteration and illegal ^ selected from all of the encrypting conversion means and 

copying of digital data by mcans of setting a limitation to usc ^ same i nput data and the same algorithm parameter, 

digital data copying, device authentication, and crypto- are a \\ different. 

graphic techniques such as real time cryptograph of digital According t0 another aspect of the present invention, 



there is provided a decrypting conversion apparatus for 



data. 

An example of conventional cryptographic techniques 4Q inputting' at least one cipher key, at least one algorithm 
may be a symmetric key or common key algorithm, typically parameter, and cipher text data and outpntting plain text 
DES cryptograph disclosed in U.S. Pat. No. 3,962,539. Most dataj thc a p para tus comprising: a plurality stage of decrypt- 
of common key algorithms are characterized in a compli- ^ conver sion means for executing each of an exclusive 
cated cryptogram formed by repeating a simple conversion. logical sum opcrat j on) a cyclic shift operation and an addi- 
Various approaches have been tried in order to improve ^ tion ope ration al least once, wherein: the decrypting con- 
security of cryptograms. For example, a cryptographic vcrsion mcans inc i udcs at i cast onc of eac h of first to third 
attack can be made difficult by increasing the number of operation means, the first operation means executes either an 
repetitions of simple conversions to further disturb statistical exc i us j ve logical sum operation or an addition operation of 
characteristics of cipher texts. inpilt data and a port i on 0 f data generated from data of the 

However, if the number of conversion repetitions is 50 cipher key, the second operation means executes either an 

increased, the processing time required for cryptographic exclusive logical sum operation or an addition operation of 

conversion becomes long. Therefore, a security reinforcing input data and a portion of data determined by the algorithm 

countermeasure through an increase in the number of rep- parameter, and the third operation means cyclically shifts 

etitions of simple conversions is not suitable for real time input data by the number of bits determined by the algorithm 

cryptograph in the copyright protection system. 5S par ametcr; and conversions which use combinations of a 

In an electronic toll collection system (ETC) of a toll plurality stage of consecutive decrypting conversion means 

speed-way which has lately attracted attention, a real-time optionally selected from all of thc encrypting conversion 

cryptographic processing is required, so that the problem as means and use the same input data and the same algorithm 

mentioned above arises. parameter, are all different. 

The electronic toll collection system represents a system 60 According to another aspect of the present invention, 

which is capable of collecting a toll based on an electronic there is provided a cryptographic communication system 

transaction through a wireless communication between an with a common key algorithm for communication between 

antenna provided at a toll collecting station and an on-board a transmitter apparatus and a receiver apparatus having a 

equipment mounted on a car when the car passes through the same cipher key, the transmitter apparatus encrypting a plain 

toll collecting station, the details of which are described in 65 text by using the cipher key to acquire and transmit a cipher 

for example, a Japanese magazine "Card Wave" published text, and the receiving apparatus decrypting the received 

by C-Media, March, 1999, pp42-45. In the referred-to cipher text by using the cipher key to recover the plain text, 
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wherein: the transmitter apparatus includes encrypting con- digital broadcasting receiver. The data receiver 2 may be a 

version means and first algorithm key storing means; the digital video recorder. In this case, the data processing units 

receiver apparatus includes decrypting conversion means 13 and 33 process digital program data of, for example, 

and second algorithm key storing mean; a conversion algo- MPEG2-TS (Transport Stream) distributed by digital broad- 

rilhm to be executed by the encrypting conversion means of 5 casting services. The data processing unit 13 performs a 

the transmitter apparatus is determined by a first parameter reception process, a multiplex/separation process, an expan- 

stored in the first algorithm key storing means of the S10n P rocess > and a transmission process, respectively of 

transmitter apparatus; a conversion algorithm to be executed di g' tal P r °g ram data - whereas me dala Processing unit 33 

by the decrypting conversion means of the receiver appara- Performs a reception process, an expansion process, and a 

tus is determined by a second parameter stored in the second 10 stora 8 e P rocess > respectively of digital program data, 

algorithm key storing means of the receiver apparatus; and Th c data transmitter 1 and data receiver 2 share data 

the cipher text encrypted by the transmitter apparatus by called a cipher key necessary for data encrypting and 

using the cipher key can be correctly decrypted by the decrypting in order to start cryptographic communication, 

receiver apparatus by using the cipher key, only if the cipher Sharing this cipher key is realized by a message exchange 

key as well as the first and second parameters used by the 15 between the key sharing unit 12 of the data transmitter 1 and 

transmitter and receiver apparatuses is same. tne key sharing unit 32 of the data receiver via the commu- 
nication processing units 14 and 34. In this case, the key 

BRIEF DESCRIPTION OF THE DRAWINGS length is determined in accordance with key length data 

stored in a key length data storage means 15 of the data 

FIG. 1 is a block diagram showing a cryptographic transmitter 1. It is desired that the cipher key shared by the 

communication system having a transmitter and a receiver daU , ransmitler x and data receiver 2 ^ changed each ume 

according to an embodiment of the invention. daU ^ transfcrrcd . is because sincc a generat cd cryp- 

FIG. 2 is a block diagram of an encrypting conversion unit togram is different if the cipher key is different, a crypto- 

shown m FIG. 1. graphic attack to a cryptogram by a third party becomes 

FIG. 3 is a block diagram of a key conversion means 25 difficult. There are various methods of sharing a cipher key. 

shown in FIG. 2. For example, key exchange in a key distribution system by 

FIG. 4 is a block diagram of a substitution/permutation DifEe-Hellman may be used which is detailed, for example, 

conversion means shown in FIG. 2. in "Current Cryptograph" by Tatsuaki Okamoto, et al, pub- 

FIG. 5 is a block diagram of a bit train conversion unit Jj*f d J? ^ngyo Tosho Kabushiki Kaisha at pp. 200 to 202. 

shown in FIG 4 30 v excDan 6 e > 11 15 verv difficult for a third party 

n „ , , ' t \ - , . . . to infer a cipher key from a tapped message which was 

RG - * p r a r bl ? Ck 813111 a decr yP nn * aversion unit exchanged for sharing me cipher key? aad it possible t0 

shown in Hu, 1. s ^ are a c jp ncr j^y m kig n secrecy each time data is trans- 

FIG. 7 is a block diagram of a substitution/permutation ferred. 

conversion means shown in FIG. 6 according to another 35 the ci p ner k ey is shared, the data processing unit 13 

embodiment of the invention. of me data transmitter 1 supplies the encrypting conversion 

FIG. 8 is a block diagram of a key conversion means unit 11 with data to be transmitted. Data supplied from the 

according to another embodiment of the invention. data processing unit 13 is still not encrypted, and such data 

FIG. 9 is a block diagram of a substitution/permutation is called hereinafter a "plain text". The encrypting conver- 

means according to another embodiment of the invention. 10 sion unit 11 is constituted of an encrypting conversion 

FIG. 10 is a block diagram of a bit train conversion unit means 20 > a kev conversion means 23 and an algorithm key 

according to another embodiment of the invention. stora S c mcans 24 - T 1 * kcv conversion means 23 generate a 

„_ „ . . . . . , ■ , ,1 plurality set of data called a conversion key in accordance 

FIG. 11 is a block diagram showing an electronic toll ^ fc and k fc ^ ^ ^ fc ± ^ 

collecting system as another embodiment of cryptographic t ^1 . ,1 ♦ , . , . ■ , . ■ . 

. 45 represents the length or a cipher key determined by cipher 

communication of the invention. , r . . ™ °, ... , , , r 

key sharing. The algorithm key storage means 24 stores a 

FIG. 12 is a chart illustrating communication flows of the plurality set of data called an algorithm key. An encrypting 

electronic toll collecting system. conversion algorithm to be executed by the encrypting 

FIG. 13 is a chart illustrating cryptographic coramunica- conversion means 20 is determined by the algorithm key. By 

tion of the electronic toll collecting system. 50 using the conversion key generated by the key conversion 

means 23 and the algorithm key stored in the algorithm key 

storage means 24, the encrypting conversion means 20 

encrypts the plain text and outputs a cipher text. The cipher 

Embodiments of the invention will be described with text generated by the encrypting conversion unit 11 is 

reference to the accompanying drawings. 55 transmitted from the communication processing unit 14 to 

FIG. 1 is a block diagram showing the configuration of a the data receiver 2, 

cryptographic communication system in which a dala trans- The communication processing unit 34 of the data 

mitter equipped with an encrypting conversion apparatus of receiver 2 receives the cipher text and supplies it to the 

the invention cryptographically communicates with a data decrypting conversion unit 31. The decrypting conversion 

receiver equipped with a decrypting conversion apparatus of 60 unit 31 is constituted of a decrypting conversion means 40, 

the invention. Referring to FIG. 1, the data transmitter 1 has a key conversion means 43 and an algorithm key storage 

an encrypting conversion unit 11, a key sharing unit 12, a means 44. The key conversion means 43 has a structure 

data processing unit 13, a communication processing unit similar to that of the key conversion means 23, and generates 

14, and a key length dala storage means 15. The data a conversion key in accordance with the cipher key and key 

receiver 12 has a decrypting conversion unit 31, a key 65 length data. The algorithm key storage means 44 has a 

sharing unit 32, a data processing unit 33, and a comrauni- structure similar to that of the algorithm key storage means 

cation processing unit 34. The data transmitter 1 may be a 24, and stores an algorithm key. A decrypting conversion 
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algorithm to be executed by the decrypting conversion 
means 40 is determined by the algorithm key. By using the 
conversion key generated by the key conversion means 24 
and the algorithm key stored in the algorithm key storage 
means 44, the decrypting conversion means 40 decrypts the 5 
cipher text. In this case, only if the decrypting conversion 
means 20 uses the same algorithm key as that used by the 
encrypting conversion means 20, the decrypting conversion 
means 40 can decrypt the cipher text encrypted by the 
encrypting conversion means 20 into the original plain text. JQ 
The plain text output from the decrypting conversion unit 31 
is supplied to the data processing unit 33 to process data. 

As described above, the data transmitter 1 and data 
receiver 2 can cryptographically communicate with each 
other only if they have the same algorithm key. Crypto- 15 
graphic communication with an authentication function can 
be realized by maintaining this algorithm key as secret 
information. Namely, if the correct algorithm key is held by 
only an authorized apparatus, cryptographic communication 
can be performed for only the authorized communication 20 
partner apparatus. In order to realize this, a key management 
facility 3 for generating algorithm keys and collectively 
managing them is provided as shown in FIG. 1. As shown, 
authorized apparatuses (in this example, the data transmitter 
1 and data receiver 2) acquire the algorithm key from the key 25 
management facility 3 without being tapped by a third party. 
For example, an algorithm key managed by the key man- 
agement facility 3 may be embedded in the algorithm key 
storage means 24 and 44 when the data transmitter 1 and 
data receiver 2 are manufactured. In this case, the data 30 
receiver 11 also acquires the key length data at the same 
time. In this manner, a cipher text transmitted from an 
authorized apparatus having a correct algorithm key can be 
decrypted only by an authorized apparatus having the cor- 
rect algorithm key. In addition lo the cipher key, the algo- 35 
rithm key is also secret information so that a cryptographic 
attack by a third party to a cipher text flowing on the 
communication path becomes more difficult. 

Furthermore, since the data transmitter 1 generates a 
cipher key basing upon the key length data acquired from the AQ 
key management facility 3, the length of the cipher key can 
be renewed. For example, if renewed key length data is 
embedded in a newly manufactured data transmitter, cryp- 
tographic communication with the newly manufactured data 
transmitter can be performed by using a cipher key having 45 
the renewed length. Therefore, it is possible to elongate the 
key length of a cipher key in the future to thereby further 
improve security. The key length may be changed in each 
area where apparatuses are shipped. 

FIG. 2 is a detailed block diagram showing an example of 50 
the encrypting conversion unit 11. It is assumed that the 
encrypting conversion unit 11 receives a plain text of 64 bits, 
a cipher key of 40 or 64 bits and key length data of one bit, 
and outputs a cipher text of 64 bits. With reference to the key 
length data, the key conversion means 23 converts the cipher 55 
key into conversion keys Kl and K2 each having 32 bits. 
The key length data takes "0" if the cipher key has 40 bits, 
and "1" if the cipher key has 64 bits. Conversion by the key 
conversion means 23 will be later described. The encrypting 
conversion means 20 of the encrypting conversion unit 11 is 60 
constituted of N substitution/permutation conversion means 
21j to 21^. A conversion algorithm to be executed by the 
substitution/permutation conversion means 21 n (where 
1 ^n^N) is determined by an algorithm key G„ stored in the 
algorithm key storage means 24. 65 

A plain text is separated into upper 32 bits R 0 and lower 
32 bits Lo and input to the substitution/permutation conver- 
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sion means 21 1 whereat a first encrypting conversion is 
performed by using the conversion keys Kl and K2 to output 
32 bits Rj.and 32 bits Lj. These bits R, and Lj are input to 
the substitution/permutation conversion means 21 2 whereat 
a second encrypting conversion is performed by using the 
conversion keys Kl and K2 lo output 32 bits R 2 and 32 bits 
L;. Such encrypting conversion is repeated N times and the 
last outputs of 32 bits R# and 32 bits L N are combined to 
obtain a cipher text of 64 bits. The total number N of 
encrypting conversion repetitions is called a round number. 

Consider now the case wherein the cipher key is fixed and 
the same data is input to an optional combination of two or 
more consecutive substitution/permutation conversion 
means selected from all the substitution/permutation con- 
version means. In this case, the conversion result is deter- 
mined by the algorithm keys Gn. In the encrypting conver- 
sion apparatus of this invention, it is assumed that only 
algorithm keys which provide different conversion results 
for all combinations are used. Namely, a periodicity does not 
appear on encrypting conversion which uses a plurality of 
substitution/permutation conversion means. In this way, 
secrecy of encrypting conversion can be improved. 

FIG. 3 is a block diagram showing an example of the key 
conversion means 23 shown in FIG. 2. Referring to FIG. 3, 
the key conversion means 23 is constituted of a register 26 
of a 64-bit length, a multiplexer 27 and an addition operation 
unit 28. A cipher key is first loaded in the register 26. If the 
cipher key has 40 bits, it is loaded in the lower 40 bits of the 
register 26, whereas if the cipher key has 64 bits, it is stored 
in all bits of the register 26. The lower 32 bits of the register 
26 are used as the conversion key Kl. If the key length data 
is "0", 32 bits of the register 26 from the lower 9-th bit to 
the lower 40-th bit are selected as an input to the multiplexer 
27. If the key length data is "1", the upper 32 bits of the 
register 26 are selected as an input lo the multiplexer 27. An 
output of the multiplexer 27 is subjected to a 32-bit addition 
of Kl at the addition operation unit 28, the result being K2. 
A result of the 32-bit addition is a remainder of a usual 
addition result divided by 2 raised to a power of 32. 

FIG. 4 is a block diagram of the substitution/permutation 
conversion means 21„ shown in FIG. 2 which executes the 
n-th (l^n^N) encrypting conversion. 

Referring to FIG. 4, the substitul ion/permutation conver- 
sion means 21„ is constituted of a bit train conversion unit 
61 and an addition operation unit 62. R„_j and L„_j are 
converted into R„ and L„ by using the conversion keys Kl 
and K2. First, the substitution/permutation conversion 
means 21„ inputs L M _ 1 to the bit train conversion unit 61. 
The conversion algorithm to be executed by the bit train 
conversion unit 61 is determined by the algorithm key G n . 
An input U to the bit train conversion unit 61 is related to an 
output Z from the unit 61 by the following equation: 

z^Fa.gci. fO-.U) 

where the function F G „, indicates a conversion by the bit 
train conversion unit 61. The algorithm key G n is constituted 
of the following data: 

fl„, c m p„, G„, s„) 

where A„, B„, and C„ arc 32-bit data, and P„, Q„, and S„ arc 
expressed by 1^531, lSQ n S31, and 1§S„S31. The 
values of the algorithm key G„ may take different values at 
each n (lin5N). 

Next, R^j is input to the addition operation unit 62 
whereat a 62-bit addition of Z„ is performed, the result being 
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L„. L n _ 1 is used as R n . Hie above -described conversion is 
summarized as in the following: 

FIG. 5 is a block diagram showing an example of the bit 
train conversion unit 61 shown in FIG. 4. The bit train 
conversion unit 61 is constituted of five bit train converters 

81 to 85. The bit train converter 81 includes an exclusive 
logical sum (exclusive-OR) unit 94. The bit train converter 

82 includes an addition calculation unit 95 and a cyclic shift 
unit 91. The bit train converter 83 includes an addition 
calculation unit 96 and a cyclic shift unit 92. The bit train 



operation unit 98 performs a 32-bit addition of three inputs. 
Of the three inputs, one is the data G„ which is a fraction of 
the algorithm key G„ shown in FIG. 4, another is an input 
value Y to the bit train converter 85, and the other is the data 
Sn to be cyclically shifted to the left. A conversion by the bit 
train converter 85 is given by: 

z-y+(r<«s„)+c n 

where Z is an output value of the bit train converter 85. 

As described above, the five bit train converters 81 to 85 
of the bit train conversion unit 61 perform a bit train 
conversion by processing data to be converted. The order of 
processing data by the five bit train converters 81 to 85 of the 
bit train conversion unit 61 may be changed. This changed 
converter 84 includes an addition operation unit 97. The bit 15 configuration is also included in the scope of the present 
train converter 85 includes an addition calculation unit 98 invention. For-example, in place of the order of bit train 
and a cyclic shift unit 93. converter 81—82—83— 84— 85, the order of bit train con- 

The exclusive logical sum unit 94 of the bit train converter version functions 84—83— 81 —85—82 may also be used. 
81 executes an exclusive logical sum operation of two input Although the five bit train converters 81 to 85 are constituted 
values. Of the two input values, one is Kl shown in FIG. 4 20 of one exclusive logical sum unit, three cyclic shift units, 
and the other is U shown in FIG. 4, i.e., an output value to ' * ' * 

the bit train conversion unit 61 or bit train converter 81. A 
conversion by the bit train converter 81 is given by: 



25 



and four addition operation units, they may be constituted of 
at least one addition operation unit and at least one cyclic 
shift operation unit capable of executing substitution/ 
permutation/mixture conversion, with similar expected 
advantages of the invention. 

FIG. 6 is a block diagram showing the details of the 
decrypting conversion unit 31 shown in FIG. 1. The decrypt- 
ing conversion unit 31 decrypts a cipher text encrypted by 
the encrypting conversion unit 11 shown in FIG. 2 into the 
The cyclic shift unit 91 of the bit train converter 82 30 original p i ain text . Th e decrypting conversion unit 31 



where V is an output value of the bit train converter 81 and 
an expression of X©Y indicates an exclusive logical sum of 
X and Y. 



cyclically shifts to the left only the data P M (l^P n £31) 
which is a fraction of the algorithm key G„. The addition 
operation unit 95 performs a 32-bit addition of three inputs. 
Of the three inputs, one is the data A„ which is a fraction of 



receives a cipher text of 64 bits, a cipher key of 40 bits or 
64 bits, and key length data of one bit, and outputs a plain 
text of 64 bits. The decrypting conversion means 40 of the 
decrypting conversion unit 31 is constituted of N 



the algorithm key G„ shown in FIG. 4, another is an input 35 su b st itution/permutation conversion means 41„ to 41„. A 

conversion algorithm to be executed by the substitution/ 
permutation conversion means 41n (where l^n^N) is 
determined by an algorithm by G„ stored in the algorithm 
key storage means 44. 
40 A cipher text is separated into upper 32 bits RN and lower 
32 bits L N and input to the substitution/permutation conver- 
sion means 41, whereat a first decrypting conversion is 
performed by using conversion keys Kl and K2 lo output 32 
bits Rjv.j, and 32 bits L^. These bits R^_, and are 



value V to the bit train converter 82, and the other is the data 
Pn to be cyclically shifted to the left. A conversion by the bit 
10 train converter 82 is given by: 

W-V+{V<«P„)+A„ 

where W is an output value of the bit train converter 82 and 
an expression of X<«Y indicates a cyclic shift of X to the 
left by Y-bil. 

The cyclic shift unit 92 of the bit train converter 83 



cyclically shifts to the left only the data Q n (1^Q„^31) « input to the substitution/permutation conversion means 41 2 

which is a fraction of the algorithm key G„. The addition whereat a second decrypting conversion is performed by 

operation unit 96 performs a 32-bit addition of three inputs. using the conversion keys Kl and K2 to output 32 bits R„_ 2 

Of the three inputs, one is the data B„ which is a fraction of and 32 bits L„_ 2 . Such decrypting conversion is repeated N 

the algorithm key G„ shown in FIG. 4, another is an input times and the last outputs of 32 bits R 0 and 32 bits Lq arc 

value W to the bit train converter 83, and the other is the data 50 combined to obtain a plain text of 64 bits. Similar to the 



Pn to be cyclically shifted to the left. A conversion by the bit 
train converter 83 is given by: 

X-W+(W«<QJ+B„ 

where W is an output value of the bit train converter 83. 

The addition operation unit 97 of the bit train converter 84 
performs a 32-bit addition of two inputs. Of the two inputs, 
one is K2 shown in FIG. 2 and the other is an input X to the 
bit train converter 84. A conversion by the bit train converter 
84 is given by: 

Y-K2+X 

where Y is an output value of the bit train converter 84. 

The cyclic shift unit 93 of the bit train converter 85 
cyclically shifts to the left only the data S„ (1^S„^31) 
which is a fraction of the algorithm key G n . The addition 



55 



60 



encrypting conversion, the total number N of decrypting 
conversion repetitions is called a round number. 

Consider now the case wherein the cipher key is fixed and 
the same data is input to an optional combination of two or 
more consecutive substitution/permutation conversion 
means selected from all the substitution/permutation con- 
version means. In this case, the conversion result is deter- 
mined by the algorithm keys Gn. In the encrypting conver- 
sion apparatus of this invention, it is assumed that only 
algorithm keys which provide different conversion results 
for all combinations are used. Namely, a periodicity does not 
appear on decrypting conversion which repetitively uses 
substitution/permutation conversion means. 

FIG. 7 is a block diagram of the substitution/permutation 
conversion means 41„ shown in FIG. 6 which executes the 
(N+l-n)-th (l^n^N) decrypting conversion. Referring to 
FIG. 7, the substitution/permutation conversion means 41„ 
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is constituted of a bit train conversion unit 61 described with 
reference to FIG. 5 and a subtraction operation unit 72. R„ 
and are converted into R„_, and by using the 
conversion keys Kl and K2. First, the substitution/ 
permutation conversion means 41„ inputs R„ to the bit train 5 
conversion unit 61. The conversion algorithm to be executed 
by the bit train conversion unit 61 is determined by the 
algorithm key G„. An input to the bit train conversion unit 
61 is represented by U and an output from this unit 61 is 
represented by Z. Next, L„ is input to the subtraction 10 
operation unit 72 to perform a 32-bit subtraction of Z, the 
result being R„. A result of the 32-bit subtraction is a usual 
subtraction result added to 2 raised to a power of 32, if the 
usual subtraction result is negative. Lastly, R„ is used L„_,. 
The above-described conversion is summarized as in the 15 
following: 

This conversion is an inverse conversion of the 20 
substitution/permutation conversion means 21n described 
with reference to FIG. 2. If the decrypting conversion unit 31 
has the same cipher key and algorithm key as those of the 
encrypting conversion unit 11, the decrypting conversion 
unit 31 can decrypt data encrypted by the encrypting con- 25 
version unit 11, in the manner described above. 

The embodiment of the data transmitter 1 equipped with 
the encrypting conversion unit and the data receiver 2 
equipped with the decrypting conversion unit have been 
described above in detail. It is obvious that a configuration 30 
partially changing the above-described configuration is 
included in the scope of the present invention. For example, 
although the cipher key has 40 bits or 64 bits and the key 
length data has one bit, the invention is not limited only 
thereto. For example, the cipher key may have the desired 35 
number of bits in the range from 40 to 128 bits and the key 
length data has 7 bits in order to identify each cipher key. In 
this case, the key conversion means is provided with a 
selector which selects a position where a cipher key is 
selected in accordance with the input key length data, in 40 
order to generate two conversion keys of 32 bits. Four 
conversion keys of 32 bits may be generated for a cipher key 
having 64 bits or more. In this case, N substitution/ 
permutation conversion means are divided into two groups 
to each of which two conversion keys are supplied. 45 

In order to generate a plurality of conversion keys, 
substitution/permutation conversion means used for 
encrypting conversion may be used. For example, a key 
conversion means for generating eight conversion key of 32 
bits will be described. so 

Referring to FIG. 8, the key conversion means 23 is 
constituted of eight substitution/permutation conversion 
means 21j to 21 8 and an extension key storage means 100. 
The extension key storage means 100 stores eight extension 
keys KEj to KE 8 having a 32-bit length to be used for 55 
conversion keys. A cipher key having 64 bits is sequentially 
converted by the eight substitution/permutation conversion 
means 21, to 2 1 8 . A conversion algorithm to be used by each 
substitution/permutation conversion means is determined by 
each algorithm key stored in the algorithm storage means 24. 60 
Extension keys stored in the extension key storage means 
100 arc input to each substitution/permutation conversion 
means. For example, extension keys KE, and KE 4 are input 
to the substitution/permutation conversion means 21^. 

By performing the conversion, outputs 1^ to Lg of the 65 
eight substitution/permutation conversion means 21, to 21 a 
are used as the eight extension keys. 
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The same extension keys stored in the extension key 
storage means may be used each time data is processed, or 
may be renewed by a method similar to the algorithm keys. 
A key sharing process may also be executed for the exten- 
sion keys by a method similar to the cipher key. The key 
conversion means 23 described with reference to FIG. 8 can 
use the substitution/permutation conversion means same as 
that used by encrypting conversion. Therefore, for example, 
if the encrypting conversion apparatus of the invention is 
implemented by hardware, encrypting conversion can be 
realized with a small circuit scale and with high security. 

Next, the encrypting conversion apparatus and decrypting 
conversion apparatus according to another embodiment of 
the invention will be described. 

The block diagram of the encrypting conversion apparatus 
of this embodiment is the same as that shown in FIG. 2 of 
the first embodiment described earlier. 

FIG. 9 is a block diagram of a substitution/permutation 
conversion means 21, of this embodiment in the encrypting 
conversion unit 11 shown in FIG. 2 which executes the n-th 
encrypting conversion. Referring to FIG. 9, the substitution/ 
permutation conversion means 21 n is constituted of a bit 
train conversion unit 361 and an operation unit 362. The 
operation unit 362 executes either an exclusive logical sum 
operation or an addition operation of two inputs. Which 
operation the operation unit 362 executes is determined by 
an algorithm key. The conversion process to be executed by 
the substitution/permutation conversion means 21„ is the 
same as described with the first embodiment. 

FIG. 10 is a block diagram showing an example of the bit 
train conversion unit 361 shown in FIG. 9. The bit train 
conversion unit 361 is constituted of five bit train converters 
81 to 85. The bit train converter 81 includes an operation 
unit 394. The bit train converter 82 includes an operation 
unit 395, an operation unit 396, and a cyclic shift unit 91. 
The bit train converter 83 includes an operation unit 397, an 
operation unit 398, and a cyclic shift unit 92. The bit train 
converter 84 includes an operation unit 399. The bit train 
converter 85 includes an operation unit 400, an operation 
unit 401, and a cyclic shift unit 93. Similar to the operation 
unit 362 shown in FIG. 9, each of the operation units 394 to 
401 executes either an exclusive logical sum operation or an 
addition operation of two inputs. Which operation the opera- 
tion units 394 to 401 execute is determined by an algorithm 
key. The bit train conversion unit 361 performs a bit train 
conversion by applying bit train converter 81 to 85 to data 
to be converted. As described above, in the encrypting 
conversion apparatus of this embodiment, the numbers of 
addition operations and exclusive logical sum operations can 
be determined by algorithm keys. 

Next, a cryptographic communication system using the 
encrypting conversion apparatus and decrypting conversion 
apparatus according to an embodiment of the invention will 
be described. 

FIG. U is a block diagram showing an electronic toll 
collection system. The electronic toll collection system can 
collect, through electronic account settlement, a toll from an 
IC card possessed by a driver of a car running on a toll road, 
at a road side equipment installed on the toll road, without 
slopping the car. Such an electronic toll collection system is 
expected to alleviate traffic congestion and improve user 
convenience through electronic account settlement with IC 
cards. 

The electronic toll collection system shown in FIG. 11 
includes a car 200, a road side equipment 201, an on-board 
equipment 202, an IC card 203, and a key management 
facility 204. 
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The car 200 has the oa-board equipment 202 into which 
the IC card 203 is inserted while the car 200 is driven. 

The road side equipment 201 is installed on the toll road 
and has a function of collecting a toll while the car 200 
passes by. 

The IC card 203 stores in advance contract information of 
the electronic toll collection system. While the car 200 
passes by the road side equipment, the contract information 
is transferred by wireless communication from the oo-board 
equipment 202 inserted with the IC card 203, in order to 
receive routing information and account settlement infor- 
mation from the road side equipment 201. 

In order to maintain security and reliability of such 
processes, it is necessary to verify authentication of contract 
information, routing information and account settlement 
information and to prevent illegal alteration and tapping of 
the information. Between the IC card and on-board equip- 
ment 202 and between the on-board equipment 202 and road 
side equipment, it is necessary to execute an authentication 
process for a communication partner, a sharing process of 
sharing a cipher key to be used for encrypting/decrypting 
exchange data, and a cryptographic communication using 
the shared cipher key. To these third party authentication 
process, cipher key sharing process and cryptographic 
communication, the encrypting and decrypting conversion 
apparatuses of the invention can be applied. 

In order to realize the above-described processes, the 
on-board equipment 202, IC card 203 and road side equip- 
ment 201 are required to store in advance a shared algorithm 
key and a license key issued by the key management facility 
204. For example, these keys may be embedded during 
manufacture. 

The details of the algorithm key and encrypting and 
decrypting conversions set by the algorithm key have been 
given above. 

The license key is embedded in an authorized equipment 
as secret information and is used for reliably executing the 
authentication process and cipher key sharing process. Con- 
sider for example that an equipment B confirms whether or 
not an equipment A is an authorized equipment, in order to 
communicate with the equipment A. In this case, the equip- 
ment A provides the equipment B with certification that the 
license key of the equipment A is correct. Since the license 
key is secret information, the equipment A is required to 
provide the equipment B with certification that the license 
key is correct, without making open the license key. This 
certification can be realized by utilizing cryptographic tech- 
niques. For example, a symmetric key algorithm is described 
in ISO 9798-2 which is international specifications for 
security mechanism. As a specific example of the symmetric 
key algorithm, the encrypting and decrypting conversion 
apparatuses of the invention can be used. 

Elements constituting the apparatuses shown in FIG. 11 
will be described. 

The road side equipment 201 is constituted of a wireless 
communication unit 232, an encrypting/decrypting process 
unit 230, a partner authentication/key sharing process unit 
233, a main control unit 235, and a data storage unit 234. 

The on-board equipment 202 is constituted of a wireless 
communication unit 212, an encrypting/decrypting process 
unit 210, an IC card communication unit 211, a partner 
authentication/key sharing process unit 213, a data storage 
unit 214, and a main control unit 215. 

The IC card 203 is constituted of an IC card communi- 
cation unit 221, an encrypting/decrypting process unit 220, 
a partner authentication/key sharing process unit 223, a data 
storage unit 224, and a main control unit 225. 
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The encrypting/decrypting process units 210, 220 and 230 
have the encrypting and decrypting conversion apparatuses 
of the invention described previously and can encrypt and 
decrypt data. 

S The IC card communication units 211 and 221 are used 
for communication between the on-board equipment 202 
and IC card 203. 

The wireless communication units 212 and 232 are used 
for wireless communication between the on-board equip- 

10 mem 202 and road side equipment 201. 

The encrypting/decrypting process units 210, 220 and 230 
execute the authentication process of confirming whether a 
communication partner is authorized and a sharing process 
of sharing a cipher key to be used for data encryption and 

15 decryption. The partner authentication/key sharing process 
unit 213 uses an encrypting/decrypting conversion function 
supplied from the encrypting/decrypting process unit 210 in 
order to execute the partner authentication and key sharing 
process. In order to realize similar functions, the partner 

20 authentication/key sharing process unit 223 uses the 
encrypting/decrypting process unit 220. Similarly, the part- 
ner authentication/key sharing process unit 233 uses the 
encrypting/decrypting process unit 230. 

The data storage units 214, 224 and 234 store the algo- 

25 rithm key and license key acquired from the key manage- 
ment facility 204, and may also store contract information, 
routing information and account settlement information. 

FIG. 12 is a flow chart illustrating communications to be 
executed by the electronic toll collection system shown in 

30 FIG. 11. 

In the flow chart shown in FIG. 12, a partner 
authentication/key sharing process 240 is first performed 
between the IC card 203 and on-board equipment 202 when 
the IC card 203 shown in FIG. 11 is set to the on-board 

35 equipment 202. After the partner authentication/key sharing 
process 240 is succeeded, the IC card 203 performs a 
cryptographic communication 241 to transfer contract infor- 
mation to the on-board equipment 202. Upon reception of 
the contract information from the IC card 203, the on-board 

40 equipment stores in secret the contract information in the 
data storage unit 214 (FIG. 11). 

Next, a partner authentication/key sharing process 250 is 
performed between the on-board equipment 202 and road 
side equipment 201 while the car 200 shown in FIG. 11 

45 passes by the road side equipment 201. After the partner 
authentication/key sharing process 250 is succeeded, the 
on-board equipment 202 performs a cryptographic commu- 
nication 251 to transfer the contract information supplied 
from the IC card to the road side equipment 201. This 

50 cryptographic communication 251 is also used for transfer- 
ring routing information and account settlement information 
from the road side equipment 201, to the on-board equip- 
ment 202. 

Next, the on-board equipment 202 performs a crypto- 
55 graphic communication 261 to transfer the routing informa- 
tion and account settlement information acquired from the 
road side equipment 201, to the IC card 203. 

Account settlement for road toll is made between the IC 
card 203 and road side equipment 201. However, commu- 
60 nication between the IC card 201 and road side equipment 
201 is required to use the on-board equipment 202. In this 
case, if the on-board equipment 202 make an illegal process, 
an illegal account settlement may be performed. In order to 
avoid such a process, it is necessary for the road side 
65 equipment 201 to identify the on-board equipment 202 used 
with the IC card 203 for account settlement. For example, 
the onboard equipment 202 is assigned an identification 
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number and transfers it to the IC card 203 during the partner 
authentication/key sharing process 240 with the IC card. 

The IC card 203 generates a digital signature for both the 
identification number of the on-board equipment 202 and 
account settlement history of the IC card 203 and returns 5 
them to the on-board equipment 202. The onboard equip- 
ment 202 transfers the identification number and the digital 
signature acquired from the IC card 203, to the road side 
equipment 201 during the partner authentication/key sharing 
process 250, Thereafter, the road side equipment 201 verifies 10 
the digital signature generated by the IC card 203 to check 
the time when the on-board equipment 202 was used. 

It is also necessary to prevent a third party to alter 
encrypted data flowing on a communication path during the 
cryptographic communication 241, 251 and 261. In order to 15 
realize this, it is necessary to perform a message authenti- 
cation capable of judging whether the received message is 
correct. In order to perform the message authentication, a 
transmitter and a receiver shares in advance a message 
authentication key which is kept in secret. Sharing the 20 
message authentication key is performed, for example, in the 
partner authentication/key sharing process 250 shown in 
FIG. 12. The transmitter generates data called a message 
authentication code (MAC) from a message to be transferred 
and the message authentication key. The transmitter trans- 25 
mits the message together with the message authentication 
code to the receiver. The receiver verifies the received 
message authentication code by using the message authen- 
tication key. It is possible to judge from this verification 
whether the received message was altered. As the message 30 
authentication, for example, a method using a symmetric 
key algorithm is described in ISO 9797 which is interna- 
tional specifications for security mechanism. As a specific 
example of the symmetric key algorithm, the encrypting and 
decrypting conversion apparatuses of the invention can be 35 
used. 

FIG. 13 is a detailed flow chart illustrating the crypto- 
graphic communication 241 as an example of a crypto- 
graphic communication including message authentication. 
Referring to the flow chart shown in FIG. 13, first the IC card 40 
203 generates a message authentication code at an MAC 
generation process 261. Next, the message to be transferred 
and the message authentication code are coupled at a cou- 
pling process 262. Thereafter, data containing the coupled 
message and message authentication code is encrypted at an 45 
encrypting process 263 to form encrypted data. 

Next, upon reception of the encrypted data, the on-board 
equipment 202 decrypts the data at a decrypting process 264. 
Thereafter, at a separating process 265, the message and 
message authentication code transferred from the IC card are 50 
recovered. Next, the recovered message authentication code 
is verified at a MAC verifying process 266 in order to verify 
the correctness of the received message. 

In the above manner, data not permitted to be altered or 
tapped, such as toll information and routing information, can 55 
be exchanged with security. 

With the above processes, a road toll can be charged to the 
IC card 203 and the toll information can be managed at the 
road side equipment 201. 

According to the present invention, it is possible to realize 60 
an encrypting conversion apparatus, a decrypting conversion 
apparatus, a cryptographic communication system and an 
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electronic toll collection apparatus capable of changing 
algorithms of cryptographic conversion to hide the algo- 
rithm in use from a third party so that the apparatuses and 
system are resistant against a cryptographic attack and can 
operate at high speed. 
What is claimed is: 

1. An encrypting conversion apparatus for inputting at 
least one cipher key, at least one algorithm parameter which 
is independent of said cipher key, and plain text data and 
outputting cipher text data, said encrypting apparatus com- 
prising: 

a plurality stage of encrypting conversion means for 
executing each of an exclusive logical sum operation, 
a cyclic shift operation and an addition operation at 
least once, 

wherein: 

said encrypting conversion means includes at least one 
of each of first to third operation means, said first 
operation means executes either an exclusive logical 
sum operation or an addition operation of input data 
and a portion of data generated from data of the 
cipher key, said second operation means executes 
either an exclusive logical sum operation or an 
addition operation of input data and a determined by 
a portion of said algorithm parameter, and said third 
operation means cyclically shifts input data by the 
number of bits determined dynamically based on a 
portion of said algorithm parameter; and 

conversions which use combinations of a plurality 
stage of consecutive encrypting conversion means 
optionally selected from all of said encrypting con- 
version means and use the same input data and the 
same algorithm parameter, are all different. 

2. Adecrypting conversion apparatus for inputting at least 
one cipher key, at least one an algorithm parameter which is 
independent of said cipher key, and cipher text data and 
outputting plain text data, the apparatus comprising: 

a plurality stage of decrypting conversion means for 
executing each of an exclusive logical sum operation, 
a cyclic shift operation and an addition operation at 
least once, 

wherein: 

said decrypting conversion means includes at least one 
of each of first to third operation means, said first 
operation means executes either an exclusive logical 
sum operation or an addition operation of input data 
and a portion of data generated from data of the 
cipher key, said second operation means executes 
either an exclusive logical sum operation or an 
addition operation of input data and a determined by 
a portion of said algorithm parameter, and said third 
operation means cyclically shifts input data by the 
number of bits determined dynamically based on a 
portion of said algorithm parameter; and 

conversions which use combinations of a plurality 
stage of consecutive decrypting conversion means 
optionally selected from all of said decrypting con- 
version means and use the same input data and the 
same algorithm parameter, arc all different. 
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